04 - Vulnerability Assessment

#Overview

Vulnerability assessment is the systematic process of identifying, classifying, and prioritizing security weaknesses in target systems. After reconnaissance and enumeration have identified open ports, running services, and exposed applications, the vulnerability assessment phase maps discovered versions and configurations to known vulnerabilities. This phase determines which attack vectors are viable before committing to exploitation.

The assessment methodology progresses through four stages: service version matching against CVE databases, exploit database lookup, manual testing for logic flaws and misconfigurations, and BloodHound-based Active Directory attack path analysis. Each stage filters the attack surface down to actionable findings.

A critical distinction exists between vulnerability scanning (automated tooling like Nessus, OpenVAS, or NSE vuln scripts) and vulnerability assessment (human analysis of findings, including false positive elimination and exploitation feasibility evaluation). This guide emphasizes the latter, treating automated scanners as input to the analyst, not as authoritative conclusions.

#Methodology

#1. Service Version Matching

Map every identified service version to candidate CVE identifiers. Use nmap -sV output as the primary input (the -oX output also carries CPE strings, which feed directly into NVD queries), then enrich with banner grabbing and manual version probes; raise --version-intensity when -sV returns only a service name. Cross-reference versions against the NVD, vendor advisories, and Exploit-DB. Pay special attention to services where the reported version is a range (e.g., Apache 2.4.x): narrow it to the precise sub-version (server headers, error pages, version-specific file paths) before checking it against the CVE list, because affected ranges differ by point release.

#2. CVE and Exploit Database Lookup

For each matched CVE, determine whether a public exploit exists. Check Exploit-DB via searchsploit, Metasploit modules, GitHub PoCs, and Packet Storm. Prioritize exploits that match the exact target OS, architecture, and service pack level: an exploit written for Windows Server 2019 may fail against Windows Server 2016 even for the same CVE, because offsets, gadgets, or mitigations differ. Read any third-party PoC before running it; unverified repositories have shipped broken or malicious "exploits", and a PoC that only crashes the service is a denial of service, not a finding.
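The first two stages are mostly bookkeeping, and bookkeeping is where versions get mis-transcribed. The following is an added example for this module (not code from the original page or from the Nmap project) that reads the XML nmap writes with -sV -oX, pulls product, version and CPE per open port, converts nmap's CPE 2.2 URIs into the CPE 2.3 form the NVD 2.0 API takes in its cpeName parameter, flags versions that are only a range or carry a distro package tag, and emits the searchsploit title search for each service. The sample XML, host, ports and versions are constructed for this example; the `next_action` rules are this example's own heuristics.

```python
"""Turn nmap -sV XML into version-matching work items (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample of `nmap -sV -oX out.xml` output; not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 10.10.10.5">
<host><address addr="10.10.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5"
           extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10">
    <cpe>cpe:/a:openbsd:openssh:8.2p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe>
  </service></port>
<port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.4" method="probed" conf="10">
    <cpe>cpe:/a:apache:http_server:2.4</cpe>
  </service></port>
<port protocol="tcp" portid="445"><state state="open"/>
  <service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/>
  <service name="http-proxy" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
DISTRO_TAG_RE = re.compile(r"ubuntu|debian|\bel\d|\.fc\d", re.IGNORECASE)
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName="


def cpe22_to_23(cpe22):
    """cpe:/a:vendor:product:version -> cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*"""
    parts = cpe22[len("cpe:/"):].split(":")
    parts += ["*"] * (11 - len(parts))  # CPE 2.3 has 11 components after the prefix
    return "cpe:2.3:" + ":".join(parts)


def version_is_precise(version):
    """True when the string pins a point release (2.4.41) or a patch level
    (8.2p1); '2.4' or '2.4.x' is a range and cannot be matched to a CVE yet."""
    m = VERSION_RE.match(version or "")
    if not m:
        return False
    numeric, rest = m.group(0), version[m.end():]
    if numeric.count(".") >= 2:
        return True
    return bool(rest) and rest[0].isalpha()


def parse_nmap_services(xml_text):
    """One work item per open port, keeping what version matching needs."""
    items = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            version = svc.get("version", "")
            items.append({
                "host": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name", ""), "product": svc.get("product", ""),
                "version": version, "method": svc.get("method", ""),
                "cpes": [c.text for c in svc.findall("cpe") if c.text],
                "precise": version_is_precise(version),
                # Distro package tag => the fix may be backported without a version bump
                "distro_package": bool(DISTRO_TAG_RE.search(version)),
            })
    return items


def next_action(item):
    """What the analyst does with this port before trusting a CVE match (example heuristic)."""
    if item["method"] != "probed" or not item["version"]:
        return "manual banner grab / probe: no version fingerprint"
    if not item["precise"]:
        return "narrow version first: range only, affected ranges differ per point release"
    if item["distro_package"]:
        return "CVE lookup, then confirm against the distro security tracker (backports)"
    return "CVE lookup"


def nvd_query_urls(item):
    """NVD 2.0 API lookups for the application CPEs nmap reported."""
    return [NVD_API + quote(cpe22_to_23(c), safe=":*") for c in item["cpes"] if c.startswith("cpe:/a:")]


def searchsploit_command(item):
    """Title search with major.minor only; Exploit-DB titles rarely carry patch levels."""
    m = VERSION_RE.match(item["version"] or "")
    short = ".".join(m.group(0).split(".")[:2]) if m else ""
    return f'searchsploit --title "{item["product"]} {short}"'.strip()


if __name__ == "__main__":
    for it in parse_nmap_services(SAMPLE_NMAP_XML):
        print(f"{it['host']}:{it['port']}/{it['proto']} {it['product']} {it['version']!r}")
        print(f"  action: {next_action(it)}")
        if it["product"]:
            print(f"  {searchsploit_command(it)}")
        for url in nvd_query_urls(it):
            print(f"  {url}")
```

Port 445 comes out as "manual banner grab" because nmap's method="table" means the name came from the services file, not a probe; port 80's "2.4" is refused as a range, and the OpenSSH string is accepted but routed to the distro tracker because of the Ubuntu package tag.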

#3. Manual Testing

Automated scanners miss logic flaws, race conditions, business logic bypasses, and many authorization issues. Manually test authentication mechanisms, input validation, file upload handling, and API endpoints. For web applications, test every parameter for injection, every session mechanism for weaknesses, and every role boundary for privilege escalation.

#4. BloodHound Attack Path Analysis

In Active Directory environments, import SharpHound or bloodhound-python collection data into BloodHound Community Edition. Mark the principals you control as Owned, then run the shortest-path queries from those owned nodes to high-value targets (Domain Admins, Domain Controllers, sensitive groups). Analyze ACL edges for abusable relationships: GenericAll, WriteOwner, WriteDACL, ForceChangePassword, AddMember, AddSelf, and ReadGMSAPassword. A path is only as good as its weakest hop, so confirm each edge manually (the collector can report stale or inherited rights) before building an exploitation plan on it.
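BloodHound answers the "shortest path from owned" question with a Cypher query; the following added example (not code from the original page or from the BloodHound project) shows the same search as a plain breadth-first walk so the edge-filtering logic is visible: only edge kinds that are actually abusable are followed, and a lone GetChanges edge is treated as a dead end because DCSync needs GetChangesAll as well. The graph, principal names and edge list are constructed for this example; edge labels follow BloodHound's spelling (WriteDacl), and the abuse hints are this example's own summaries, not BloodHound's help text.

```python
"""Shortest abusable path from owned principals to a high-value group (added example)."""
from collections import deque

# Edge kinds the walk may follow. GetChanges is deliberately absent: DCSync needs
# GetChanges and GetChangesAll together, so a lone GetChanges edge is a dead end.
TRAVERSABLE = {"MemberOf", "GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
               "ForceChangePassword", "AddMember", "AddSelf", "ReadGMSAPassword"}

# What each hop costs the operator, for the rendered path (example summaries).
ABUSE_HINT = {
    "MemberOf": "inherited through group membership, nothing to do",
    "GenericAll": "full control: reset password, add member, or shadow credentials",
    "GenericWrite": "write attributes: SPN for targeted Kerberoast, or shadow credentials",
    "WriteOwner": "take ownership, then grant yourself WriteDacl/GenericAll",
    "WriteDacl": "grant yourself GenericAll on the object, then act on it",
    "ForceChangePassword": "reset the target's password (no old password needed)",
    "AddMember": "add a principal you control to the group",
    "AddSelf": "add yourself to the group",
    "ReadGMSAPassword": "read msDS-ManagedPassword and derive the NT hash",
}

# Constructed graph: (source, target, edge kind). Not SharpHound output.
EDGES = [
    ("ALICE@CORP.LOCAL", "HELPDESK@CORP.LOCAL", "MemberOf"),
    ("HELPDESK@CORP.LOCAL", "SVC_BACKUP@CORP.LOCAL", "ForceChangePassword"),
    ("SVC_BACKUP@CORP.LOCAL", "IT ADMINS@CORP.LOCAL", "AddSelf"),
    ("IT ADMINS@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL", "WriteDacl"),
    ("ALICE@CORP.LOCAL", "CORP.LOCAL", "GetChanges"),   # not enough for DCSync on its own
    ("BOB@CORP.LOCAL", "WS01.CORP.LOCAL", "AdminTo"),   # local admin only, no AD path here
]


def build_graph(edges, traversable=TRAVERSABLE):
    """Adjacency list restricted to edges an attacker can actually abuse."""
    adj = {}
    for src, dst, kind in edges:
        if kind in traversable:
            adj.setdefault(src, []).append((dst, kind))
    return adj


def shortest_path(adj, start, target):
    """BFS over traversable edges; returns [(src, kind, dst), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for dst, kind in adj.get(node, []):
            if dst not in prev:
                prev[dst] = (node, kind)
                queue.append(dst)
    if target not in prev:
        return None
    hops, cur = [], target
    while prev[cur] is not None:
        src, kind = prev[cur]
        hops.append((src, kind, cur))
        cur = src
    hops.reverse()
    return hops


def paths_from_owned(edges, owned, target="DOMAIN ADMINS@CORP.LOCAL"):
    """Same question as BloodHound's shortest-paths-from-owned query."""
    adj = build_graph(edges)
    return {p: shortest_path(adj, p, target) for p in owned}


def render(hops):
    return "\n".join(f"{src} -[{kind}]-> {dst}\n    {ABUSE_HINT.get(kind, '')}"
                     for src, kind, dst in hops)


if __name__ == "__main__":
    for owned, hops in paths_from_owned(EDGES, ["ALICE@CORP.LOCAL", "BOB@CORP.LOCAL"]).items():
        print(f"== {owned}")
        print(render(hops) if hops else "  no path over abusable edges")
```

ALICE reaches Domain Admins in four hops (MemberOf, ForceChangePassword, AddSelf, WriteDacl); BOB has no path because AdminTo is not in the traversable set for this example, and ALICE's GetChanges edge never appears in any path. Swapping the TRAVERSABLE set is how you model "what if this edge is not really abusable", which is exactly the manual confirmation step the stage above asks for.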

#Noise-Level Guidance

  • Low: Service version checks (passive banner reading), CVE database queries (out-of-band, never touch the target), searchsploit lookups (local Exploit-DB copy, no target traffic)
  • Medium: NSE vuln scripts (nmap --script vuln), manual SQLi/XSS probing, BloodHound collection (SharpHound and bloodhound-python issue many LDAP queries and, for session data, SMB connections to every host; see OPSEC Considerations)
  • High: Automated vulnerability scanners (OpenVAS, Nessus), active fuzzing (wfuzz, ffuf with aggressive wordlists), Kerberos roasting (AS-REP and Kerberoast requests are logged by the KDC)

#Common Pitfalls

  • Pitfall: Trusting nmap version output without verification -- version strings can be spoofed or stripped by service configuration. Fix: Corroborate with manual banner grabs (netcat, telnet), error page analysis, and file path probes.
  • Pitfall: Assuming a CVE is exploitable because a version matches -- patches may be backported without a version number bump, especially on Debian/Ubuntu. Fix: Check the distro-specific security tracker (e.g., debsecan on Debian, RHSA for RHEL) rather than relying solely on the upstream version string.
  • Pitfall: Running the collector with default options and stopping there -- bloodhound-python's default collection gathers groups, local admins, sessions, and trusts but not ACLs, object properties, or containers, so the ACL edges that expose non-obvious paths never reach the graph. Fix: Use -c All in SharpHound or -c all in bloodhound-python (in bloodhound-python, All is everything except LoggedOn) so ACL, ObjectProps, Container, and GPO data are collected.
  • Pitfall: Overlooking Kerberos clock skew -- Kerberos authentication fails (KRB_AP_ERR_SKEW) if the time difference between client and KDC exceeds 5 minutes by default. Fix: Read the server time from Nmap output (the smb2-time script reports it) and compare with local time; sync with sudo ntpdate -u <DC_IP> or sudo rdate -n <DC_IP>, or run the tool under faketime when you cannot change the host clock.
  • Pitfall: Scanning only TCP ports -- critical UDP services (SNMP, mDNS, LLMNR, NFS mountd, RPC portmapper) can expose version information and vulnerabilities. Fix: Run sudo nmap -sU -F (top 100 UDP ports; -sU needs root) during initial enumeration and widen the range on hosts that matter; UDP scans are slow because closed ports answer with rate-limited ICMP, so scope them deliberately.

#OPSEC Considerations

  • Detection: NSE vuln scripts generate recognizable traffic. nmap --script vuln runs every script in the vuln category against every matching service, and several of those scripts send crafted probe payloads (some flagged intrusive) rather than passive checks, which is the kind of multi-service burst IDS/IPS signatures key on. Select individual scripts by name when stealth matters.
  • Detection: BloodHound collection via SharpHound.exe generates numerous LDAP queries in a short window and, for session data, SMB connections to every domain computer. Modern EDR solutions flag this behavior. Consider running bloodhound-python from a Linux attack host, slowing SharpHound down with --throttle and --jitter (milliseconds between requests and randomization), or restricting to DC-only collection (--collectionmethods DCOnly) so no member host is touched.
  • Detection: Kerberoasting is a TGS-REQ for a service ticket; the KDC logs each one as Event ID 4769, and a sweep stands out as one account requesting tickets for many SPNs within seconds. Defenders also key on the encryption type: tools request RC4 (Ticket Encryption Type 0x17) because RC4 tickets crack fastest, so a 4769 with 0x17 in a domain whose service accounts support AES is a strong signal.
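To see what the blue team sees, the following added example (not code from the original page) runs the two Kerberoast checks described above over constructed Event ID 4769 records: a per-event check for RC4-HMAC (0x17) service tickets to user accounts, and a burst check for one requester pulling several distinct RC4 service tickets inside a short window, which is the shape a full-SPN sweep leaves behind. The records carry only the 4769 fields that matter here (TargetUserName is the requesting account, ServiceName the account owning the SPN); they are constructed, not real logs, and the 60-second / 3-service thresholds are this example's own starting values.

```python
"""Kerberoast detection over constructed Event ID 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17


def ev(t, user, svc, etype, ip):
    return {"TimeCreated": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample records; not real logs.
SAMPLE_4769 = [
    ev("2024-05-01T10:00:01", "alice@CORP.LOCAL", "svc_sql",    "0x17", "10.10.14.5"),
    ev("2024-05-01T10:00:01", "alice@CORP.LOCAL", "svc_web",    "0x17", "10.10.14.5"),
    ev("2024-05-01T10:00:02", "alice@CORP.LOCAL", "svc_backup", "0x17", "10.10.14.5"),
    ev("2024-05-01T10:00:02", "alice@CORP.LOCAL", "svc_ftp",    "0x17", "10.10.14.5"),
    ev("2024-05-01T10:00:03", "alice@CORP.LOCAL", "krbtgt",     "0x12", "10.10.14.5"),  # TGT, AES
    ev("2024-05-01T10:00:07", "bob@CORP.LOCAL",   "WS01$",      "0x12", "10.10.20.7"),  # machine, AES
    ev("2024-05-01T10:05:00", "carol@CORP.LOCAL", "svc_old",    "0x17", "10.10.20.9"),  # one legacy RC4
]


def parse_event(rec):
    return {
        "time": datetime.fromisoformat(rec["TimeCreated"]),
        "requester": rec["TargetUserName"],
        "service": rec["ServiceName"],
        "etype": int(rec["TicketEncryptionType"], 16),
        "ip": rec["IpAddress"],
    }


def is_rc4_service_ticket(e):
    """RC4 ticket for a user/service account. Machine accounts ($) and the TGT
    (krbtgt) are excluded: their keys are not what Kerberoast cracks."""
    svc = e["service"]
    return e["etype"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def rc4_service_tickets(records):
    """Low-severity hits: every 0x17 service ticket. Baseline these first; an
    environment with accounts lacking AES keys produces them legitimately."""
    return [e for e in map(parse_event, records) if is_rc4_service_ticket(e)]


def detect_kerberoast_burst(records, window=timedelta(seconds=60), min_distinct=3):
    """High-severity hits: one requester, >= min_distinct distinct RC4 SPN targets
    inside `window`. Sliding window per requester, reporting the widest window."""
    by_requester = defaultdict(list)
    for e in sorted(rc4_service_tickets(records), key=lambda e: e["time"]):
        by_requester[e["requester"]].append(e)
    alerts = []
    for requester, evs in by_requester.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= min_distinct and (best is None or len(services) > len(best["services"])):
                best = {"requester": requester, "ip": evs[end]["ip"], "services": sorted(services),
                        "first": evs[start]["time"], "last": evs[end]["time"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    print(f"RC4 service tickets: {len(rc4_service_tickets(SAMPLE_4769))}")
    for a in detect_kerberoast_burst(SAMPLE_4769):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"BURST {a['requester']} from {a['ip']}: {len(a['services'])} SPNs in {span:.0f}s -> {a['services']}")
```

The single RC4 request from carol is reported by the low-severity check but never becomes a burst alert, which is the point: the per-event rule is a baseline feed, the burst rule is what pages someone. From the attacker's side, this is why requesting one or two specific SPNs spaced out over time, or requesting AES tickets where the account supports them, is quieter than a full sweep.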

#Cross-References

#Tool References

  • Nmap NSE vuln scripts -- https://nmap.org/nsedoc/categories/vuln.html
  • searchsploit (Exploit-DB CLI) -- https://www.exploit-db.com/searchsploit
  • NVD / NIST CVE Database -- https://nvd.nist.gov/
  • CVE Mitre -- https://cve.mitre.org/
  • BloodHound Community Edition -- https://github.com/SpecterOps/BloodHound
  • SharpHound -- https://github.com/SpecterOps/SharpHound
  • bloodhound-python -- https://github.com/dirkjanm/BloodHound.py
  • Metasploit Framework -- https://github.com/rapid7/metasploit-framework
  • WES-NG (Windows Exploit Suggester) -- https://github.com/bitsadmin/wesng
  • linux-exploit-suggester -- https://github.com/The-Z-Labs/linux-exploit-suggester
  • OpenVAS -- https://www.greenbone.net/en/

#Source Machines

  • Escape (Medium) -- ADCS vulnerability identification via Certify enumeration, ESC1 certificate template analysis
  • Forest (Easy) -- Anonymous LDAP bind enumeration, AS-REP roastable account identification, BloodHound attack path analysis
  • Timelapse (Easy) -- LAPS configuration assessment, PFX certificate enumeration
  • Cascade (Medium) -- LDAP custom attribute enumeration (cascadeLegacyPwd), AD Recycle Bin enumeration
  • Sauna (Easy) -- AS-REP roastable user discovery, BloodHound DCSync right analysis
  • TombWatcher (Hard) -- BloodHound multi-hop path analysis, ADCS ESC15 identification, gMSA enumeration
  • Certified (Medium) -- ACL abuse chain identification (WriteOwner + GenericWrite + ShadowCredentials), ADCS ESC9 analysis
  • Rebound (Insane) -- RID cycling user enumeration, AS-REP + Kerberoast chaining, gMSA delegation audit, RBCD attack path analysis